CVE-2025-1686

27.02.2025, 05:15

All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.

 Workaround

This vulnerability can be mitigated by disabling the include macro in Pebble Templates:

java
new PebbleEngine.Builder()
            .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
                    .disallowedTokenParserTags(List.of("include"))
                    .build())
            .build();

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
snyk	CNA	6.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 39%

Vendor	Product	Version
pebbletemplates	pebble	*

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-73 - External Control of File Name or Path
The software allows user input to control or influence paths or file names that are used in filesystem operations.

References

https://github.com/PebbleTemplates/pebble/issues/680

https://github.com/PebbleTemplates/pebble/issues/688

https://pebbletemplates.io/wiki/tag/include

https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594